OpenVPN connection Ubuntu Linux

Ever feel like Linux users are somewhat neglected in the VPN world? While most VPN services readily cater to Windows, macOS, Android, and iOS users, the Linux community often gets the short end of the stick. However, this doesn’t spell the end for secure, private browsing on your Linux system.

Despite the scarcity of native VPN apps for Linux, especially Linux Mint, there’s a way around this. Sure, it requires rolling up your sleeves and diving a bit deeper into your system settings, but the payoff is worthwhile. In this guide, we’ll walk you through setting up an OpenVPN client connection on Linux Mint via the Network Manager, step by step.

Given that Linux Mint is built on Ubuntu, which itself is a derivative of Debian, our guide holds relevance for users of any Debian-based distro that employs Network Manager. Rest assured, our recommendations are backed by thorough research and extensive testing. This ensures you can establish a secure VPN connection, even in a Linux environment often overlooked by VPN providers.

OpenVPN configuration files

In order to do this, you’re going to need to download your VPN provider’s OpenVPN configuration files (.ovpn).

Typically, a provider that supports Linux but that doesn’t supply a native Linux client will make its OpenVPN configuration files available. The same goes for VPN providers that support routers.

Some VPN providers, while having native client apps for a particular platform, still make their OpenVPN configuration files available to enable users of said platform to connect using third-party clients.

So, in a nutshell, if your VPN provider supports Linux (without a native client), supports routers, or allows its users to connect using third-party clients, odds are it will make its OpenVPN configuration files available for download. And these can be used to create a VPN connection over Linux, using the Network Manager – which is considered a third-party client.

Supported VPN providers

As found in our guide to setting up an OpenVPN connection in pfSense, here’s a list of VPN providers that make their OpenVPN configuration files available. NordVPN is Comparitech’s top-rated VPN and tops the list of best VPNs for Linux.

The first thing you need to do is download your VPN provider’s OpenVPN configuration files. Once you’ve got them, you should have everything you need. You’ll also need your login credentials, which are usually—but not always—the same as the email and password you used to sign up for the VPN.

If you’ve got all of the above, you’ve got everything you need to set up an OpenVPN client connection in Linux Mint.

About Linux Mint

Linux Mint is a popular, community-driven Linux distribution based on Ubuntu and Debian. It’s a top choice for those seeking an alternative to Windows or MacOS. This is thanks to its user-friendly and powerful operating system.

First developed in 2006, Linux Mint has matured into a robust platform, built on proven software layers like the Linux kernel, GNU tools, and the MATE desktop. It’s designed to make everyday tasks easier for regular users, offering a vast collection of software and well-integrated services.

The desktop experience is based on GNOME 2, but Linux Mint has also invested in MATE and Cinnamon, two alternatives to GNOME 3, ensuring its future adaptability. The latest version, Linux Mint 21, codenamed Vanessa, with security updates until 2027.

Linux Mint is easy to install, customizable, and compatible with a wide range of hardware. However, some users have reported issues with certain graphics cards. However, this can usually be resolved by using the “Compatibility Mode” boot option or an earlier release.

In a nutshell, Linux Mint is a free, robust, and user-friendly operating system, offering a wealth of features and customization options, making it an excellent choice for both home users and businesses.

Configuring an OpenVPN connection from the Network Manager

There are two ways to configure an OpenVPN connection in Linux Mint: automatically or manually. We’re going to go through both.

Configuring an OpenVPN connection automatically

  1. From the Desktop, click the Network Manager icon, at the bottom right of the screen. The Network Connections window appears.Mint - Click Network Manager
  2. Click the + at the bottom left of the window. The Connection Type window is displayed.Mint - Click Plus
  3. From the drop-down list, select Import a saved VPN configuration… The file browser appears.Mint - Import VPN Configuration
  4. Navigate to the location where you saved your provider’s OpenVPN configuration files and select the .ovpn file of the server to which you want to connect.Mint - File Browser
  5. You’re taken back to the Connection Type window. Click Create.Mint - Click Create
  6. The Settings window for your new VPN connection is displayed. Enter your username and password and click Save. If your provider only requires a username, a client identifier, or an account number, and doesn’t require a password, just type anything in the password field. Don’t leave it blank.Mint - Enter Credentials
  7. By clicking the icon to the right of the password field, you can select The password is not required. However, in my experience, you’ll still be prompted for a password regardless of whether or not this option is selected.Mint - Password
  8. Click Save. Your OpenVPN connection is now configured. Close the Connection Type window.Mint - Click Save
  9. To enable your VPN new connection, from the Desktop, click the Network Manager icon, at the bottom right of the screen and simply toggle your VPN connection on.Mint - Enable VPN
  10. Upon successful connection, you’ll see a notification appear stating that you’re now connected to the VPN.Mint - Connection Notification
  11. You can verify that your IP address has been changed by using the Comparitech IP Address Check Tool.Mint - Comparitech Check IP

We can see that I now have an Australian IP address.

That was the automatic way. But you can also create your connection manually. Knowing how to configure your OpenVPN connection manually can help you if something goes wrong and you need to troubleshoot.

Configuring an OpenVPN connection manually 

As was the case with the automatic configuration, you’re going to need your VPN provider’s OpenVPN configuration files to set up the connection manually.

Once you have the .ovpn files, you’re going to need to create individual files for your CA certificate and your TLS key (if required).

  • The CA certificate: The VPN provider has a Certificate Authority that validates connections to its VPN servers. To configure a VPN client in Linux Mint, you’re going to need your provider’s CA certificate. It looks like this:Mint - Example CA
  • The TLS key: Some VPN providers also require a TLS key to initiate a client connection to their servers. It is often referred to as a static key. If your VPN provider requires a static key to establish an OpenVPN connection, you’re going to need that as well. It looks like this:Mint - Static Key

All of these elements are found in the .ovpn configuration files. Refer to the images above if you’re not sure what each of them looks like. You’re going to copy each of them to a text file and then save the text files with a particular extension.

  • CA certificate – .crt extension
  • TLS key – .key extension

Here’s how my files look:

Mint - Manual Files

To configure our VPN connection manually, we’re going to need more than just the CA certificate and the TLS key. But the OpenVPN configuration files contain every other piece of information we need as well.

We’re ready to start.

  1. From the Desktop, click the Network Manager icon, at the bottom right of the screen. The Network Connections window appears.Mint - Click Network Manager
  2. Click the + at the bottom left of the window. The Connection Type window is displayed.Mint - Click Plus
  3. From the drop-down list, select OpenVPN.Mint - Manual - Select OpenVPN
  4. You’re taken back to the Connection Type window. Click Create.Mint - Manual - Click Create
  5. The Settings window for your new VPN connection is displayed. Give the connection a name and enter the VPN server hostname or IP address in the Gateway field, followed by  a colon and the port number. vpnserver.com:2049, for example.Mint - Manual - Edit Connection
  6. Under Authentication, set the Type field to Password. Enter your username and password and click Save. If your provider only requires a username, a client identifier, or an account number, and doesn’t require a password, just type anything in the password field. Don’t leave it blank.Mint - Manual - Filled In - No Cert
  7. As above, by clicking the icon to the right of the password field, you can select The password is not required but in my experience, it still prompts you for a password regardless of whether or not this option is selected.Mint - Manual - Password Not Required
  8. Click the CA certificate field. The file browser appears. Navigate to the CA.crt file you created earlier and select it.Mint - Manual - Add CRT
  9. Click the Advanced button. The advanced options are displayed.Mint - Manual - Advanced - General
  10. If your VPN provider uses data compression, tick Data compression and select the type of compression from the drop-down menu.
  11. Tick Set virtual device type, leave it set to TUN, and set the name to tun.
  12. Go to the Security tab.Mint - Manual - Advanced - Security
  13. If your VPN provider supports different encryption ciphers, you can manually select your cipher here. If not, leave it set to Default.
  14. Go to the TLS Authentication tab. Setting the TLS Authentication options is not required if your VPN provider doesn’t use TLS authentication and does not provide a TLS key.Mint - Manual - Advanced - TLS
  15. Select your provider’s Server Certificate Check method and enter the Subject Match. This is found in the .ovpn configuration file.
  16. Tick Verify peer (server) certificate usage signature and leave the setting to Server.
  17. Under Additional TLS authentication or encryption, select either TLS-Auth or TLS-Crypt, based on the options supported by your VPN provider.
  18. Click the Key File field. The file browser appears. Navigate to the TLS.key file you created earlier and select it.
  19. Click the Key Direction field and select 1 from the drop-down menu.
  20. Click OK. You’re taken back to the main Settings window for your VPN connection.
  21. Click Save. Your OpenVPN connection is now configured. Close the Connection Type window.Mint - Manual - Click Save
  22. To enable your VPN new connection, from the Desktop, click the Network Manager icon, at the bottom right of the screen and simply toggle your VPN connection on.Mint - Enable VPN
  23. Upon successful connection, you’ll see a notification appear stating that you’re now connected to the VPN.Mint - Connection Notification
  24. You can verify that your IP address has been changed by using the Comparitech IP Address Check Tool.Mint - Check IP

You now know how to connect to your VPN provider over Linux, using the Network Manager. And there’s no hard limit on the number of connections you can store. When you want to connect to one of the configured VPN servers, from the Network Manager, simply choose the server you want to connect to and toggle it on.

But we’re not done yet. There’s still one more required step to complete to secure your traffic. To make sure that your traffic doesn’t leak out unencrypted if your VPN connection should ever drop, we’re going use iptables to create a VPN kill switch for our connection. Iptables is a firewall for Linux distributions.

We’re going to run some commands in the terminal to do this. If you’re new to Linux, the Terminal might seem scary at first but learning to use it will greatly help you in mastering your Linux Fu.

Here’s a good article to read if you’d like to learn more about iptables and how to use it.

Configuring a VPN kill switch with iptables

Most native VPN client apps from VPN providers include a kill switch. A kill switch will block all traffic from exiting your device if the VPN connection should ever drop. It’s a great feature for security and privacy.

In this section, we’re going to show you how to configure your own VPN kill switch, using iptables, a well-known Linux firewall.

Installing iptables-persistent

  1. Disconnect the VPN.
  2. Launch the Terminal. We’re going to start by installing iptables-persistent.
  3. In the Terminal window type: sudo apt update. Enter your password and press Enter. This will update your package repositories.
  4. Type: sudo apt install iptables-persistent. Enter your password if prompted. You will be prompted to type Y or N to install the package or to abort the installation. Type Y. The package is installed.

The iptables rules are saved in two files, one for IPv4 rules and one for IPv6 rules. The files are:

  • /etc/iptables/rules.v4
  • /etc/iptables/rules.v6

We’re going to start with our IPv4 rules.

Configuring an IPv4 VPN kill switch

  1. Type: sudo nano /etc/iptables/vpn-rules.v4 to create a new IPv4 rules file for our VPN.
  2. Enter your password if prompted. An empty file is displayed.
  3. Copy the following to your file, but insert the IPv4 address of your VPN server instead of <VPN server IPv4 address> and the VPN server’s port instead of <VPN server port>:

*filter

-A OUTPUT -o tun0 -j ACCEPT

-A OUTPUT -d <VPN server IPv4 address> --dport <VPN server port> -j ACCEPT

-A OUTPUT -j DROP

COMMIT

  1. Press Ctrl+X to save and exit. Type Y when asked to save the file.

What these rules do is allow traffic out from the VPN interface, allow a connection to the VPN server via the default route, and then block everything else.

Configuring an IPv6 VPN kill switch

If your VPN provider supports IPv6 (most don’t), you can do the same thing for IPv6 traffic.

  1. In the Terminal window, type: sudo nano /etc/iptables/vpn-rules.v6 to create a new IPv6 rules file for our VPN.
  2. Enter your password if prompted. An empty file is displayed.
  3. Copy the following to your file, but insert the IPv6 address of your VPN server instead of <VPN server IPv6 address> and the VPN server’s port instead of <VPN server port>:

*filter

-A OUTPUT -o tun0 -j ACCEPT

-A OUTPUT -d <VPN server IPv6 address> --dport <VPN server port> -j ACCEPT

-A OUTPUT -j DROP

COMMIT

  1. Press Ctrl+X to save and exit. Type Y when asked to save the file.

Dropping IPv6 traffic

If your VPN provider doesn’t support IPv6, I recommend creating rules to drop that traffic altogether.

  1. In the Terminal window, type:sudo nano /etc/iptables/vpn-rules.v6 to create a new IPv6 rules file for our VPN. Enter your password if prompted. An empty file is displayed.
  2. Copy the following to your file:

*filter

:INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0]

COMMIT

Now, all we need to do is to load our new rules files so the iptables will apply them.

Loading IPv4 firewall rules

In the Terminal window, type:

sudo iptables-restore > /etc/iptables/vpn-rules.v4

Loading IPv6 firewall rules

In the Terminal window, type:

sudo ip6tables-restore > /etc/iptables/vpn-rules.v6

And there you go. You now have a working OpenVPN connection in Linux Mint. You can easily enable and disable your connection using the Network Manager. And you’ve also configured a VPN kill switch, using iptables. If your VPN connection should drop, traffic from your device won’t go out, unencrypted, to the internet. All traffic from your device will be blocked.

If you’re looking for a high-quality VPN that supports Linux, check out our dedicated article on the best VPNs for Linux.